Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Manage Ambari user roles

Solved Go to solution
Highlighted

Manage Ambari user roles

Expert Contributor

Dear community,

Is it possible to manage user roles not only from Ambari GUI? Blueprints? Some configs?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Manage Ambari user roles

Super Mentor

@Vladislav Falfushinsky

Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction

- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...

.

View solution in original post

6 REPLIES 6
Highlighted

Re: Manage Ambari user roles

Super Mentor
Highlighted

Re: Manage Ambari user roles

Expert Contributor

Thanks @Jay SenSharma

Ambari API is also ok. Is there a possibility to use Blueprints or ambari-server setup utility for this? Looked both but had not found proper option.

Highlighted

Re: Manage Ambari user roles

Super Mentor

@Vladislav Falfushinsky

Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction

- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...

.

View solution in original post

Re: Manage Ambari user roles

Expert Contributor

Thanks for answers. Will try to use API. However had not found any possibility to manage cluster roles with that tool.

Highlighted

Re: Manage Ambari user roles

To manage user role (aka privileges) through the API, there are several entry point that can be used.

To set an Ambari administrator:

/api/v1/clusters/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "type": "AMBARI",
      "permission_name": "AMBARI.ADMINISTRATOR",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change the principal_name (in the payload) value to the relevant username

To set a cluster role:

/api/v1/clusters/:CLUSTER_NAME/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "PERMISSION_NAME",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change :CLUSTER_NAME (in the URL) to the relevant cluster's name
  • Change the permission_name (in the payload) value to the relevant permission name
    • CLUSTER.ADMINISTRATOR
    • CLUSTER.OPERATOR
    • SERVICE.ADMINISTRATOR
    • SERVICE.OPERATOR
    • CLUSTER.USER
  • Change the principal_name (in the payload) value to the relevant username

To give access to a view:

/api/v1/views/:VIEW_TYPE/versions/:VIEW_VERSION/instances/:VIEW_INSTANCE/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "VIEW.USER",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change :VIEW_TYPE (in the URL) to the relevant view type (i.e., FILES)
  • Change :VIEW_VERSION (in the URL) to the relevant view type's version (i.e., 1.0.0)
  • Change :VIEW_INSTANCE (in the URL) to the relevant view type's version instance (i.e., MyFilesView)
  • Change the principal_name (in the payload) value to the relevant username
Highlighted

Re: Manage Ambari user roles

Expert Contributor

That I was looking into. May thanks!!!!

According to the above reply:

1) To delete privileges:

curl -H "X-Requested-By: ambari" -X DELETE -u admin:admin "https://yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/1"

2) To add:

curl -H "X-Requested-By: ambari" -X POST --data-binary "@your_privileges_file.json" -u admin:admin "https:///yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/"

Privilege example:

{
"PrivilegeInfo" : {
    "permission_name" : "CLUSTER.USER",
    "principal_name" : "your-group",
    "principal_type" : "GROUP"
  }
}
Don't have an account?
Coming from Hortonworks? Activate your account here